
With the Ukrainian conflict in mind, an alleged hacker community from Russia installs data-stealing malware on users’ machines by pretending the software was designed to attack Western governments. Oddly enough, over 40 per cent of the infected servers are in Ukraine, according to the Bitdefender Labs.

The self-proclaimed hackers have crafted ingenious spam messages that help them deliver the Trojan to those who dislike the economic and political measures taken against Russia.

“We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country,” the malicious spam messages read.

“We have coded our answer and bellow you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions.”

After clicking the links, victims download an executable file known as Kelihos. Capable of harvesting sensitive browser data, internet traffic and other personal information, Kelihos first drops three legitimate WinPcap files (npf.sys, packet.dll and wpcap.dll) that it uses to capture network traffic.

The Trojan then communicates with the command and control center by exchanging encrypted messages via HTTP to retrieve further instructions.

Depending on the type of payload, Kelihos can do any of the following:

Communicate with other infected computers

Steal bitcoin wallets

Send spam emails

Steal FTP and email credentials as well as login details saved by the browsers

Download and execute other malicious files on the affected system

Monitor traffic for FTP, POP3 and SMTP protocols

“We analyzed one of the recent malicious spam waves and noticed that all the .eml files lead to setup.exe URLs, with 49 unique IPs,” Bitdefender Virus Analyst Doina Cosovan explained.

“To find out the size and distribution of the computers infected during this campaign, we relied on the fact that Kelihos uses P2P. Starting from the 49 distinct IPs, we obtained the list of domains associated with each IP address. For each resulting domain, we obtained the list of corresponding IPs. In the end, we obtained 25,680,758 IP addresses, of which only 55,981 were unique.”

The analysis shows how large and interconnected the botnet infrastructure is: the 49 IP addresses serving the spam links are only a small slice of the malicious “pie.”
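The pivot the analysts describe (IP to associated domains, domain back to its IPs, then de-duplicate and look at where the addresses sit) is a standard way of mapping shared infrastructure from a handful of seed indicators. The Python below is an added illustration written for this article, not Bitdefender's tooling; it replaces live passive-DNS lookups with constructed lookup tables (RFC 5737 documentation addresses and placeholder domain names) so it runs offline. It goes one step beyond the quoted method by repeating the pivot until no new addresses appear and by computing the per-country share that the 40 per cent Ukraine figure refers to; the country codes are likewise constructed.

```python
from collections import Counter

# Constructed stand-ins for passive-DNS answers. None of these are real
# Kelihos infrastructure: the IPs are RFC 5737 documentation ranges and the
# domains are placeholders.
REVERSE_DNS = {  # IP -> domains seen resolving to it
    "192.0.2.10": ["node-a.example", "node-b.example"],
    "192.0.2.11": ["node-b.example", "node-c.example"],
    "198.51.100.5": ["node-c.example"],
    "203.0.113.7": ["node-d.example"],
}
FORWARD_DNS = {  # domain -> IPs it has resolved to
    "node-a.example": ["192.0.2.10", "203.0.113.7"],
    "node-b.example": ["192.0.2.10", "192.0.2.11", "203.0.113.7"],
    "node-c.example": ["192.0.2.11", "198.51.100.5", "203.0.113.9"],
    "node-d.example": ["203.0.113.7", "203.0.113.20"],
}
GEO = {  # IP -> country code (constructed, for the distribution step)
    "192.0.2.10": "UA", "192.0.2.11": "UA", "198.51.100.5": "DE",
    "203.0.113.7": "UA", "203.0.113.9": "US", "203.0.113.20": "NL",
}
# Constructed seed set standing in for the article's 49 setup.exe hosts.
SEED_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.5"]


def pivot_once(seed_ips, reverse_dns=REVERSE_DNS, forward_dns=FORWARD_DNS):
    """One IP -> domain -> IP pivot, as in the quoted method.

    Returns (total_hits, unique_ips, hit_counter). total_hits counts every
    resolution including repeats (the article's 25,680,758); unique_ips is
    the de-duplicated set (the article's 55,981).
    """
    hits = Counter()
    for ip in seed_ips:
        for domain in reverse_dns.get(ip, ()):
            for resolved in forward_dns.get(domain, ()):
                hits[resolved] += 1
    return sum(hits.values()), set(hits), hits


def expand_to_fixed_point(seed_ips, max_rounds=10,
                          reverse_dns=REVERSE_DNS, forward_dns=FORWARD_DNS):
    """Repeat the pivot on newly found addresses until nothing new appears.

    Returns (all_known_ips, rounds_run). max_rounds bounds the walk so a
    dense peer-to-peer graph cannot make it run away.
    """
    known = set(seed_ips)
    frontier = set(seed_ips)
    rounds = 0
    while frontier and rounds < max_rounds:
        _, found, _ = pivot_once(frontier, reverse_dns, forward_dns)
        frontier = found - known      # only pivot again on new addresses
        known |= found
        rounds += 1
    return known, rounds


def distribution_by_country(ips, geo=GEO):
    """Share of addresses per country code; unknown addresses count as '??'."""
    counts = Counter(geo.get(ip, "??") for ip in ips)
    total = len(ips)
    return {cc: n / total for cc, n in counts.items()}


if __name__ == "__main__":
    total, unique, hits = pivot_once(SEED_IPS)
    print(f"single pivot: {total} resolutions, {len(unique)} unique IPs")
    for ip, n in hits.most_common():
        print(f"  {ip:<14} seen {n}x")
    known, rounds = expand_to_fixed_point(SEED_IPS)
    print(f"fixed point after {rounds} rounds: {len(known)} IPs")
    for cc, share in sorted(distribution_by_country(known).items()):
        print(f"  {cc}: {share:.0%}")
```

The gap between total resolutions and unique addresses is the point: shared hosting and fast-changing P2P nodes make the same IP reappear through many domains, so counting hits overstates the botnet's size while the de-duplicated set understates how interconnected it is. In a real workflow the two lookup tables would be fed by a passive-DNS source, and the country share would come from a geolocation database.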

“Some of the IPs might indicate the origin of servers specialized in malware distribution or other infected computers that became part of the Kelihos botnet,” Bitdefender Virus Analyst Doina Cosovan said. “As most of the infected IPs are from Ukraine, this either means that computers in the country were also infected, or that Ukraine itself is home to the main distribution servers.”

Also known as Hlux, the Kelihos botnet was discovered four years ago. It is mainly involved in bitcoin theft and spamming. The botnet has a peer-to-peer structure, where individual nodes can act as command-and-control servers for the entire botnet, allowing it to stay undetected for a longer period.

Like most botnets, Kelihos itself can be rented by other malware creators for distribution. It’s unclear whether it rents other services as well. So far, we have only seen Kelihos running on the Windows platform.


This article is based on spam samples provided courtesy of Bitdefender Spam Researcher Adrian MIRON and the technical information provided by Bitdefender Virus Analysts Doina COSOVAN and Alexandru MAXIMCIUC.

About the author

Bianca STANESCU

Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story. She's the industry news guru, who'll always keep a close eye on the AV movers and shakers and report their deeds from a fresh new perspective. Proud mother of one, she covers parental control topics, with a view to valiantly cutting a safe path for children through the Internet thicket. She likes to let words and facts speak for themselves.
